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METHOD AMD APPARATUS FOR GENERATING A CRYPTOGRAPHIC 
KEY 

5 

The present invention relates to a method and apparatus for generating a 
cryptographic key. 

A key feature associated with cryptography is the provision of a trust authority, 
10 where a trust authority is responsible for issuing private and public keys to 
appropriate individuals/entities. However, as a private key, is by its nature, 
private to a specific individual/entity it is essential that a user can trust that the 
trust authority will not disclose or otherwise use the user's private key in an 
inappropriate manner. However, it can be difficult for a user to build a strong 
1 5 trust relationship with a single trust authority. 

One solution to this problem has involved the use of a plurality of trust 
authorities to generate individual parts of a private key, where no one trust 
authority has access to the complete private key. In particular, one solution 
20 involves the use of a shared secret in which a group of trust authorities use 
the shared secret to generate their portion of the private key. However, this 
solution requires the use of a trusted secret distributor. 

Another solution involves each trust authority providing a portion of a private 
25 key based upon the identity of the user where the identity of the user is the 
same for each trust authority. However, in many applications a user may have 
different identities when dealing with the different trust authorities. 

It is desirable to improve this situation. 
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In accordance with a first aspect of the present invention there is provided a 
computer apparatus comprising a processor arranged to generating a 
cryptographic key using a first data set that corresponds to a first identifier, a 
second data set that corresponds to a first trusted party's public key, a third 
5 data set that corresponds to a second identifier and a fourth data set 
corresponds to a second trusted party's public key. 

Preferably the first data set is a first public parameter. 

10 

Suitably the second data set is a second public parameter. 

Suitably the first data set is a first private parameter generated by the first 
trusted party. 

15 

Preferably the third data set is a third public parameter. 

Suitably the fourth data set is a fourth public parameter. 

20 Suitably the third data set is a third private parameter generated by the 
second trusted party. 

Suitably the cryptographic key is an encryption key. 

25 Suitably the processor is arranged to encrypt a fifth data set with the 
encryption key. 

Suitably the processor is arranged to encrypt the fifth data set with the 
encryption key and a random number. 

30 



l. 



300201957 

3 

Suitably the processor is arranged encrypt the fifth data set using a bilinear 
pairing, such as a Tate or Weil pairing, when operating on the first and 
second data sets and the third and fourth data sets. 

5 Suitably the cryptographic key is a decryption key. 

Suitably the processor is arranged to decrypt an encrypted data set with the 
decryption key. 

10 Suitably the processor is arranged decrypt the encrypted data set using a 
bilinear pairing, such as a Tate or Weil pairing, when operating on the first 
and second data sets and the third and fourth data sets. 

Suitably the cryptographic key is a signature key. 

15 

Suitably the processor is arranged to sign a sixth data set with the signature 
key. 

Suitably the processor is arranged to sign the sixth data set with the signature 
20 key and a random number. 

Suitably the processor is arranged to sign the sixth data set using a bilinear 
pairing, such as a Tate or Weil pairing, when operating on the first and 
second data sets and the third and fourth data sets. 

25 

Suitably the cryptographic key is a verification key. 

Suitably the processor is arranged to verify a signed data set with the 
verification key. 

30 
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Suitably the processor is arranged to verify the signed data using a bilinear 
pairing, such as a Tate or Weil pairing, when operating on the first and 
second data sets and the third and fourth data sets. 

5 In accordance with a second aspect of the present invention there is provided 
a method comprising generating a cryptographic key using a first data set that 
corresponds to a first identifier, a second data set that corresponds to a first 
trusted party's public key, a third data set that corresponds to a second 
identifier and a fourth data set that corresponds to a second trusted party's 
10 public key. 

Preferably the method further comprises encrypting a fifth data set with the 
cryptographic key. 

15 Preferably the fifth data set is encrypted using a bilinear pairing, such as a 

Tate or Weil pairing, when operating on the first and second data sets and the 
third and fourth data sets. 

In accordance with a third aspect of the present invention there is provided a 
20 computer system comprising a first computer entity arranged to generate a 
first data set that corresponds to a first trusted party's public key; a second 
computer entity arranged to generate a second data set that corresponds to a 
second trusted party's public key; and a third computer entity arranged to 
generate a cryptographic key using a first identifier in conjunction with the first 
25 data set and a second identifier in conjunction with the second data set. 

Preferably the third computer entity is arranged to encrypt a third data set with 
the cryptographic key. 

30 Preferably the third computer entity encrypts the third data set using a bilinear 
pairing, such as a Tate or Weil pairing, when operating on the first and third 
data sets and the second and fourth data sets. 
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Preferably the first data set and second data set are public data parameters. 

Preferably the public data parameters include an elliptic curve and a 
5 generator point on the elliptic curve. 

For a better understanding of the present invention and to understand how 
the same may be brought into effect reference will now be made, by way of 
example only, to the accompanying drawings, in which:- 

10 

Figure 1 illustrates a computer system according to an embodiment of the 
present invention; 

Figure 2 illustrates a computer system according to an embodiment of the 
15 present invention. 

Figure 1 shows a first computer entity 10, a second computer entity 20, a third 
computer entity 30 and a fourth computer entity 40 connected via a network 
50, for example the Internet. 

20 

The first computer entity 10 represents a first trust authority 60, for example a 
company, the second computer entity 20 represents a second trust authority 
70, for example a division within the company and the third computer entity 30 
represents a user 80, for example a worker within the company. The fourth 
25 computer entity 40 represents, for example, a business partner 90 of the 
company that wishes to interact with the user 80. 

The first, second, third and fourth computer entities 10, 20, 30, 40 are 
conventional computing devices as is well known to a person skilled in the art. 

30 

The first computer entity 10 and second computer entity 20 form a trust 
authority hierarchy in which the first computer entity 10 acts as a root trust 
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authority and the second computer entity 20 acts as a middle level trust 
authority, thereby forming a public-key infrastructure. As described in detail 
below, on receipt by the second computer entity 20 of a master private key 
generated by the first computer entity 10 the second computer entity 20 is 
able, using identifier-based cryptography, to generate a private/public key pair 
without further interaction from the first computer entity 10, where the public 
key can be verified, without the need for digital certificates, such that the 
verifier can be convinced that the public key could only be generated with 
knowledge of the master private key generated by the first computer entity 10. 

The following embodiment utilises identifier-based cryptography using Tate 
pairing to provide multiple levels of trust authorities, however other types of 
pairing may also be used, for example Weil pairings. 

15 For the purposes of this embodiment G1 and G2 denote two groups of prime 
order q in which the discrete logarithm problem is believed to be hard and for 
which there exists a computable bilinear map, for example, a Tate pairing. 



10 



20 



i.e. f : G-! x Gi > G. 



2 



Gi is a group of points on an elliptic curve and G 2 is a subgroup of a 
multiplicative group of a finite field. 

As the mapping between Gi and G 2 is bilinear exponents/multipliers can be 
25 moved around. For example if a, b, c e F q and P, Q e Gi then 

t(aP, bQ) c = t(aP, cQ) b = t(bP, cQ) a = t(bP, aQ) c = t(cP, aQ) b = t(cP, bQ) a 
= (abP, Q) c = t(abP, cQ) = f(P, abQ) c = t(cP, abQ) 

30 = t(abcP, Q) = t(P, abcQ) = t(P, Q) abc 
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Additionally, for the purposes of this embodiment the following cryptographic 
hash functions are defined: 

Hi :{0,1}*— ->d 

5 H 2 :{0,1}* >F„ 

H 3 : G 2 >{0,1}* 

To provide a trust hierarchy a public/private key pair is defined for a trust 
authority where the public key R is: R e G1 and the private key s is: s e ¥ q 
10 with R=sP where P, a public parameter, is: Pe 61. 

Additionally, an identifier based public key Qi D / private key S )D pair is defined 
where the Qid, S iD e Gi where the trust authority's public/private key pair 
(Rta.s) is linked with the identifier based public/private key by 

15 

Sid = sQid and Qid = Hi (ID) 
where ID is an identifier string. 

20 Accordingly, to allow a holder of the private part s of the trust authority's 
public/private key pair to sign a bit string, where m denotes the message to be 
signed it is necessary to compute V = sH^m). Verification requires that the 
following equation is satisfied: 

25 t(P, V) = t(R, H,(m)) 

This is based upon the mapping between Gi and G 2 being bilinear 
exponents/multipliers, as described above. That is to say, 



30 



f(P, V) = f(P, sH, (m)) 
= f(P, Hi {m)) s 
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= f(sP, Hi (m)) 
= f(R,H 1 (m)) 

In particular identifier based encryption allows the holder of the private key S )D 
5 of an identifier based key pair to decrypt a message sent to them encrypted 
using the associated public key Qid • 

The message to be encrypted is denoted by m. 

1 0 First compute U= rP where r is a random element of ¥ q . 

Then compute V = m © H 3 (t(R, rQi D )) 

This results in the generation of the ciphertext U and V. 

15 

Decryption of the message is performed by computing: 

V® H3 (t(U, S ID )) = V ® Hz{t{rP, sQ, D )) 

= V © H 3 (f(P, QdD 
20 = y © H 3 (f(sP, fQ, D )) 

= V © H 3 (fXR /Oid)) 
= m 

Correspondingly identifier based signatures using Tate pairing can be 
implemented. For example: 

25 

First compute r = f(P, pf 

where k is a random element of Fg . 

Then apply the hash function H 2 to m\\r (concatenation of m and r) to obtain h 
= H 2 (m\\r). 
30 Then compute 

U = hS iD + kP. 
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Thus generating the output U and h as the signature on the message m. 
Verification of the signature can be established by computing: 

5 

r=t(U,Pyt{Q m , R? 
where the signature can only be accepted if h = H 2 (m\\r). 

10 Based upon the identifier-based cryptography described above the root trust 
authority (i.e. the first trust authority 60) can be linked to a pseudo master 
private key generated by the middle level trust authority (i.e. the second trust 
authority 70) such that the link can be verified without the need for any digital 
certificates, as will now be described. 

15 

Based upon the above nomenclature table 1 lists the standard and ID based 
public/private key pairs that are set up for the first trust authority 60 and the 
second trust authority 70 where P, a pubic parameter, is an arbitrary point on 
an elliptic curve. 

20 



Entity 


Standard 
Private Key 


Standard 
Public key 


ID Based 
Private Key 


ID Based Pubic 
key 


First TA 


s^ 


R TA i=SiP 






Second TA 


s 2 


Rta2=s 2 P 


Sta2=Si Ota2 


Ota2= Hi(TA2) 



Table 1 



The second trust authority 70 creates a pseudo-master private key selecting a 
25 random number r where r e F„; the random number r is the pseudo-master 
private key. Once the pseudo-master key has been selected the second trust 
authority 70 generates the following public keys: 



r 
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rsiOrA2 , rP and /Ota2 

It should be noted however, that even though in the above example the 
5 second trust authority 70 has created a single pseudo-master private key the 
second trust authority 70 could generate any number of pseudo-master 
private keys. 

The user 80 registers with the second trust authority 70 to obtain an 
10 associated private key for the user's public key, where the user's public key 
could be any form of identifier, for example the user's name 'Bob', where the 
public key Hi(Bob) = Q Bo b would map to a point on an elliptic curve defined by 

15 On registration, the second trust authority 70 provides the user 80 with the 
appropriate private key, which would be a combination of the user's public key 
and the second trust authority's pseudo private key i.e. rQ B0 b- 

Consequently, utilizing the Tate pairing algorithms described above it is 
20 possible to verify the 'meaning' of rsQrA2, rP and rCfrfa using: 

t(rP, Qta2)= t(P, rChA2) and 
f(P, rsQrfiz) = t(sP, rQj^) 

25 Further (P.sP), in the above ID-based encryption and ID-based signature 
algorithms, can be replaced with either (P, rP) or (Ota2. rOrA2), as well as 
replace t(Q\ D , sP) = t(sQ tD ,P) with t{Q Bo t>,rP) = t{rQ Bo b, P) or f(Q Bo b, aOta2) = 
f(rQBob, Ota2)- 

30 Figure 2 illustrates the same computer network as that shown in figure 1 with 
the addition of a fifth computer entity 100. The fifth computer entity 100 acts 
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as another middle level trust authority (i.e. a third trust authority 200) 
independent of the second computer entity 20 where the first computer entity 
10 is the root trust authority for both the second computer entity 20 and the 
fifth computer entity 100. As with the second computer entity 20 on receipt by 
the fifth computer entity 100 of a master private key generated by the first 
computer entity 10 the fifth computer entity 100 is able to generate a 
private/public key pair as described above. The network 50 could include 
additional middle level trust authorities, however, for the purposes of this 
embodiment only two middle level trust authorities will be described. 

As described below, the user 80 has an independent identity associated with 
each middle level trust authority 70, 200, where each independent identity 
corresponds to a public key of the user 80. Each middle level trust authority 
70, 200 provides a private key corresponding to the respective user's public 
key, as described above. To send an encrypted message to the user 80 the 
business partner 90 encrypts the message with a combination of the user's 
public keys associated with the respective middle level trust authorities 70, 
200 (i.e. the user's identities associated with the respective trust authorities) 
and the respective trust authority's public key. To recover the encrypted 
message the user 80 decrypts the message with a combination of the same 
trust authority's public keys and the user's corresponding private key. 

To sign a message a user 80 uses each trust authority's public key in 
combination with the user's associated private keys. To verify the signature a 
verifier uses a combination of the trust authority's public key with the user's 
corresponding public keys. 

The following embodiment utilises identifier-based cryptography using Tate 
pairings to allow the generation of a public key that is a combination of 
independent identities associated with respective middle level trust authorities 
70, 200. 



r 
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The second trust authority 70 has a public key R T m and a corresponding 
private key Si where Rtai = s^P, with P being a point on an elliptic curve, as 
described above. 

5 The third trust authority 200 has a public key R T az and a corresponding private 
key s 2 where R T A2 = s 2 P, with P being a point on an elliptic curve, as 
described above. 

For n trust authorities the public/private key pair could be generalised by: 

10 

f?TA/ = SiP 

Associated with each middle level trust authority 70, 200 the user 80 has a 
independent identity, that is to say with the second trust authority 70 the user 
15 80 has an identity ID1, for example the user's name 'Bob', with third trust 
authority 200 the user 80 had another identity ID2, for example the name of 
the company the user 80 works for. 

Accordingly, the user 80 has independent identity based private keys and 
20 public keys with each middle level trust authority 70, 200, where the user's 
identity based public key with the second trust authority 70 is Qidi = Hi(ID1) 
and the user's identity based private key with the second trust authority 70 is 
Si, where Si = SiQ )D i and the user's identity based public key with the third 
trust authority 200 is Q| D 2 = Hn(ID2) and the user's identity based private key 
25 with the third trust authority 200 is S 2 , where S 2 = s 2 Qi D2 . 

To allow the business partner 90 to encrypt a message m for the user 80 
based upon the independent identities associated with each middle level trust 
authority 70, 200 the business partner 90 generates ciphertext V and U, 
30 where: 
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and 

U = rP 

5 

where r is a random number selected by the business partner 90. 
Decryption is performed by computing: 

10 m = \Z©H 3 (^.i>,)) 

Accordingly, message m can only be decrypted with knowledge of both 
private keys Si, S 2 . 

15 The following embodiments utilises identifier-based cryptography using Weil 
pairings to allow the generation of a public key that is a combination of 
independent identities associated with respective middle level trust authorities 
70, 200. In a more general case, the trusted authorities can be totally 
independent to each other and there is no needs for any business relationship 

20 to exist between the trust authorities, in fact the trust authorities do not need 
to know each other. For example the trust authorities may not belong to the 
same root trusted authority. Indeed, one or more of the trust authorities could 
be a root authority. 

25 The first embodiment utilizing Weil pairings allows the business partner 90 to 
encrypt a message m e {0,1}" for the user 80, which the user can decrypt if 
the user 80 has a number of private keys d iDi (/' = 1, .... n), each respectively 

issued by a trust authority TAj (/ = 1 n) corresponding to a public key Qo (/ 

= 1 n). 

30 
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Each trust authority chooses a large (at least 512-bits) prime p such that p = 2 
mod 3 and p = 6g -1 for some prime q > 3. Further, E, an elliptic curve, is 
defined by y 2 = x 3 + 1 over F p . 

5 An arbitrary point on the elliptic curve is chosen, where P e E/F p of order q. 

Four hash functions are defined: 
Hi:{0,1}*-»F P ; 
H 2 : F p j -> {0,1}" for some n; 
10 H 3 :{0,1}"x{0,1}"-»ZV 
and tf 4 : {0,1} n ->{0,1}". 

Each trust authority TAj (/ = 1, .... n) respectively selects a random s j r e Z q 
and set P pub j = [s/]P. 

15 

The user 80 registers with each respective trust authority, providing each trust 
authority with an appropriate independent identifier, IDi (/'= 1, .... n) e {0,1}*. 

Each trust authority then computes an appropriate MapToPoint (Hi(IDj)) = Qidi 
20 g E/Fp of order q and set the user's corresponding private key do to be d\ 0 \ = 

[S/JQlDi- 

To encrypt a message, m, the business partner 90: 

25 Computes a MapToPoint (Hi(IDj)) = Qidi (/ = 1 . .... n) e E/F p of order q. 
Selects a random number <re {0,1}". 

Computes r = H 3 (<r, m), where r is a random element that ensures only 
someone with the appropriate private key can decrypt the message, m. 
Computes U = [r]P. 
30 Computes g ID = n ( i <, / <; n ) e(Q ia , P^) e F p > . 
Computes V= cr®H 2 {g^- 
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Computes W = m ©H 4 (cr). 

Sets the ciphertext to be C = (I/, V, W). 

To decrypt the message, m, the user 80: 

Tests U e E/F p of order g; 
Computes x = e(2 ( i ^ , < n) did* 
Computes cr = V©H 2 (x); 
Computes m= W® Ha(o); 
Computes r - H 3 (cr, m); 
Checks 1/ = [r]P. 

The second embodiment utilizing Weil pairings allows a user 80 to sign a 
message, m. 

The user signs a message m e {0,1}" under a number of private keys dp (/ = 

1 n), each respectively issued by a respective trust authority, i.e. TAj (/ = 

1 n ) corresponding to a public key Q 1Di (/= 1, .... n). The business partner 

90 verifies the signature by using both the user's public keys corresponding to 
the signing private keys and the TAj's public keys. 

As above, each trust authority choose a large (at least 512-bits) prime p such 
that p = 2 mod 3 and p = 6g -1 for some prime q > 3 with E being defined by 
y 2 = x 3 + 1 over F p . 

An arbitary point on the elliptic curve is chosen where P e E/F p of order q. 

Two hash functions are chosen: 
Hi: {0,1}* -+ F p ; 
andH 2 :{0,1}"x{0,1}"^ZV 
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Each trust authority TAj (/ = 1 n ) respectively selects a random s, e Z\ 

and set P pubi = [s]P. 

The user 80 registers with each respective trust authority providing each trust 
authority with an appropriate independent identity i.e. IDj (/'= 1 n) e {0,1}*. 

Each trust authority then computes an appropriate MapToPoint (H^ID,)) = Q, Di 
e E/Fp of order qr and sets the user's private key d| Di to be d ]Di = [s,]Q| Di . 

To sign a message, m, the user 80: 

Selects a random z e {0,1}"; 
Computes U = [z]P; 
Computes /7 = H 2 (m, U); 

Computes V= [h] S (1 ^< n) d, Di + [z] 2 (1s/ < n) P pub/ 
Ships to the business partner m, U and V. 

To verify the signature (m, U, 10 the business partner 90: 

Computes MapToPoint (Hi(IDj)) = Q, D| e E/F p of order q; 

Computes h = H 2 (m, U); 

Computes x = e(P, V); 

Computes y = n (1 <,<„) §(P publ , [h]Q iDi + U); 

Checks x == y. 

The third embodiment utilizing Weil pairing provides a further embodiment 
that allows a user 80 to sign a message. 

The user 80 signs a message m e {0,1}" under a number of private keys d\ D{ (/ 
= 1, .... n), each respectively issued by a respective trust authority i.e. TAj (/' = 
1 n) corresponding to a public key Q lDi (/= 1, n ). The business partner 
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90 verifies the signature by using both the user's public keys corresponding to 
the signing private keys and the TAj's public keys. 

As above, each trust authority choose a large (at least 512-bits) prime p such 
that p = 2 mod 3 and p = 6q -1 for some prime q > 3 with E being defined by 
5 y 2 = x 3 + 1 over F p . 

An arbitrary point P on the elliptic curve is chosen, where P e E/F p of order q. 

Two hash functions are chosen: 
10 /^{O.l}* ->F P ; 

and H 2 : {0,1}" x {0,1} n -> Z\. 

* 

Each trust authority TA| (/ = 1 n) respectively selects a random s, e Z q 

and set P pub ,- = [sj\P. 

15 

The user 80 registers with each respective trust authority providing each trust 
authority with an appropriate independent identity i.e. IDj (/= 1, n) e {0,1}*. 

Each trust authority computes an appropriate MapToPoint (Hi(IDj)) = Qiq e 
20 E/Fp of order q and sets the private key d (D i to be d\ 0 ; = [s/]Qi D i- 

To sign a message, m, the user 80: 

Selects a random k e {0,1}"; 
25 Computes e = e(E(i ^ / < n) d\a, P); 
Computes r = e fc ; 
Computes h = H 2 (m, r); 
Computes S = ([k] - [ft]) T.^^i< n )d\ D ; 
Ships to the business partner m, ft and S. 

30 

Verify the signature (m, h, S) the business partner 90: 
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Computes MapToPoint (Hi(IDO) = Qua e E/F p of order qr; 
Computes e' = n (1 </< n) e(QiDi, Ppubi) - may be precomputed; 
Computes f = e(S, P)e ,h ; 
Checks h == H 2 (m, f). 
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1 . Computer apparatus comprising a processor arranged to generating 
a cryptographic key using a first data set that corresponds to a first 
identifier, a second data set that corresponds to a first trusted 
party's public key, a third data set that corresponds to a second 
identifier and a fourth data set corresponds to a second trusted 
party's public key. 

2. Computer apparatus according to claim 1 , wherein the first data set 
is a first public parameter. 

3. Computer apparatus according to claim 1 or 2, wherein the second 
data set is a second public parameter. 

4. Computer apparatus according to claim 1 or 2, wherein the first 
data set is a first private parameter generated by the first trusted 
party. 

5. Computer apparatus according to any of claims 1 to 4, wherein the 
third data set is a third public parameter. 

6. Computer apparatus according to any of claims 1 to 5, wherein the 
fourth data set is a fourth public parameter. 

7. Computer apparatus according to any of claims 1 to 5, wherein the 
third data set is a third private parameter generated by the second 
trusted party. 

8. Computer apparatus according to any of the preceding claims, 
wherein the cryptographic key is an encryption key. 
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Computer apparatus according to claim 8, wherein the processor is 
arranged to encrypt a fifth data set with the encryption key. 

Computer apparatus according to claim 9, wherein the processor is 
arranged to encrypt the fifth data set with the encryption key and a 
random number. 

Computer apparatus according to any of claims 9 to 10, wherein the 
processor is arranged encrypt the fifth data set using a bilinear 
pairing when operating on the first and second data sets and the 
third and fourth data sets. 

Computer apparatus according to claim 1 1 , wherein the bilinear 
pairing is either a Tate or Weil pairing. 

Computer apparatus according to any of claims 1 to 7, wherein the 
cryptographic key is a decryption key. 

Computer apparatus according to claim 13, wherein the processor 
is arranged to decrypt an encrypted data set with the decryption 
key. 

Computer apparatus according to claim 14, wherein the processor 
is arranged decrypt the encrypted data set a Tate or Weil pairing 
when operating on the first and second data sets and the third and 
fourth data sets. 

Computer apparatus according to any of claims 1 to 7, wherein the 
cryptographic key is a signature key. 

Computer apparatus according to claim 16, wherein the processor 
is arranged to sign a sixth data set with the signature key. 
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1 8. Computer apparatus according to claim 1 7, wherein the processor 
is arranged to sign the sixth data set with the signature key and a 
random number. 

19. Computer apparatus according to claims 16 or 17, wherein the 
processor is arranged to sign the sixth data set using a bilinear 
pairing when operating on the first and second data sets and the 
third and fourth data sets. 

20. Computer apparatus according to claim 19, wherein the bilinear 
pairing is either a Tate or Weil pairing. 

21 . Computer apparatus according to claims 1 to 7, wherein the 
15 cryptographic key is a verification key. 

22. Computer apparatus according to claim 21 , wherein the processor 
is arranged to verify a signed data set with the verification key. 

20 23. Computer apparatus according to claim 21 , wherein the processor 
is arranged to verify the signed data using a bilinear pairing when 
operating on the first and second data sets and the third and fourth 
data sets. 



25 24. Computer apparatus according to claim 23, wherein the bilinear 
pairing is either a Tate or Weil pairing. 

25. A method comprising generating a cryptographic key using a first 
data set that corresponds to a first identifier, a second data set 
30 corresponds to a first trusted partes public key, a third data set that 

corresponds to a second identifier and a fourth data set that 
corresponds to a second trusted party's public key. 
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26. A method according to claim 25, further comprising encrypting a 
fifth data set with the cryptographic key. 

5 27. A method according to claim 26, wherein the fifth data set is 

encrypted using a Tate or Weil pairing when operating on the first 
and second data sets and the third and fourth data sets. 

28. A computer system comprising a first computer entity arranged to 
10 generate a first data set that corresponds to a first trusted party's 

public key; a second computer entity arranged to generate a 
second data set that corresponds to a second trusted party's public 
key; and a third computer entity arranged to generate a 
cryptographic key using a first identifier in conjunction with the first 
15 data set and a second identifier in conjunction with the second data 

set. 

29. A computer system according to claim 28, wherein the third 
computer entity is arranged to encrypt a third data set with the 

20 cryptographic key. 

30. A computer system according to claim 29, wherein the third 
computer entity encrypts the third data set using a bilinear pairing 
when operating on the first and third data sets and the second and 

25 fourth data sets. 

31 . A computer system according to claim 30, wherein the bilinear 
pairing is either a Tate or Weil pairing. 
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A computer system according to claim 28, wherein the first data set 
and second data set are public data parameters. 
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A computer system according to claim 28, wherein the public data 
parameters include an elliptic curve and a generator point on the 
elliptic curve. 
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ABSTRACT 

METHOD AND APPARATUS FOR GENERATING A CRYPTOGRAPHIC 
5 KEY 

A computer system comprising a first computer entity arranged to generate a 
first data set; a second computer entity arranged to generate a second data 
set; and a third computer entity arranged to generate a cryptographic key 
1 0 using a first identifier in conjunction with the first data set and a second 
identifier in conjunction with the second data set. 
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Figure 1 
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